Posted by Curt Zirzow on 10/04/39 11:05
* Thus wrote Jason Morehouse:
> Richard Lynch wrote:
> >Jason Morehouse wrote:
> >
> >>Hello. I'm not sure if this is an apache problem or php... but
> >>wondering if anyone has come across the same problem.
> >>
> >>-rw------- 1 root root test.html
> >>-rw------- 1 root root test.php
> >>
> >>Trying to access test.html via a browser serves up the apache 403 error
> >>page. The test.php however produces:
> >>...
> >
> >Apache (and the PHP Module within it) run as a specific user.
> >
> >That user is not (and SHOULD NOT be) 'root'
> > ...
> >
>
> I don't need a lesson in file permissions, thanks. Apache runs as
> nobody. The problem isn't trying to get apache to display test.php,
> it's having it display the proper 403 error page, rather than a php
> error when it doesn't have access to a page.
Your Original Post did not state that you knew why the error
occurred; we can't read minds after all.
>
> Each page, test.html and test.php have the same permissions. The html
> page gives the expected 403 error message when I try and access it
> (that's what I want). The other, php script doesn't. This is a security
> concern for me as it reveals paths on my system in the event a page has
> the wrong permissions. Why does apache not serve the 403 on the php
> page? Maybe this is better off in the apache list.
It is recommended *not* to have 'display_errors=on' for a production
server for this very reason. Have the errors go to syslog or
something similar.
Curt
--
Quoth the Raven, "Nevermore."
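
The recommendation in the reply above, written out as a php.ini fragment. This is an added example, not part of the original thread; it assumes a production server and uses syslog as the log destination, as the reply suggests.

```ini
; Setting that sends PHP errors, including file system paths,
; to the browser (what the thread describes):
;   display_errors = On

; Production settings: nothing is shown to the client,
; errors are still recorded for the administrator.
display_errors = Off
display_startup_errors = Off
log_errors = On
; "syslog" sends entries to the system logger; a file path
; readable only by administrators also works here.
error_log = syslog
```

Restart or reload Apache after the change so the PHP module rereads php.ini.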